Recently, most malware, such as bots and downloaders, acquires and executes program code from a site on which a malicious program has been placed (hereinafter referred to as a malware download site) and thereby expands its functionality. Such functional expansion may add functions that cause further damage, such as attacks on external servers and theft of information. Therefore, in order to minimize the damage after infection, it is necessary to block communication to the malware download site and thereby prevent the functional expansion.
Recently, a countermeasure has been taken in which a blacklist of communication destinations obtained from dynamic analysis of malware is created in order to block communication to the malware download site. However, since malware also acquires and executes program code from legitimate sites, if all of the communication destinations obtained from the dynamic analysis are included in the blacklist, legitimate communication may be erroneously cut off.
Therefore, as disclosed in Non Patent Literature 1, a download site is identified based on whether the downloaded file is malware. Generally, the determination of whether a file is malware is made based on the inspection result of antivirus software and on behavior observed at the time of file execution, such as registry operations.
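The distinction drawn above, between blacklisting every destination seen during dynamic analysis and blacklisting only destinations that served a file judged to be malware, as an added Python example. This is not code from the patent or from Non Patent Literature 1; the record format, the hostnames, the file labels and the persistence-key heuristic used as the "behavior on execution" signal are constructed assumptions.

```python
"""Deriving a download-site blacklist from dynamic-analysis records.

Added example, not code from the patent or from Non Patent Literature 1.
The record format, hostnames, file labels and the behavior heuristic are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Registry locations commonly used for persistence. Treating a write to one
# of them as a malware indicator is a simplifying assumption of this example.
SUSPICIOUS_REGISTRY_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class DownloadEvent:
    """One file download observed while a sample ran in the sandbox."""
    destination: str                  # host the file was fetched from
    file_id: str                      # label for the downloaded file (constructed)
    av_detected: bool                 # antivirus inspection result for that file
    registry_writes: list = field(default_factory=list)  # keys written when executed


def is_malware(event: DownloadEvent) -> bool:
    """Decide whether the downloaded file is malware.

    Mirrors the two signals named in the text: the antivirus verdict, and
    behavior at execution time (here: a write to a persistence key).
    """
    if event.av_detected:
        return True
    return any(key.startswith(SUSPICIOUS_REGISTRY_PREFIXES)
               for key in event.registry_writes)


def naive_blacklist(events):
    """Every communication destination seen in dynamic analysis."""
    return {e.destination for e in events}


def file_verdict_blacklist(events):
    """Only destinations that served at least one file judged to be malware."""
    return {e.destination for e in events if is_malware(e)}


# Constructed sandbox observations for one bot sample.
SAMPLE_EVENTS = [
    # flagged by antivirus
    DownloadEvent("dl.malicious-example.test", "file-a", av_detected=True),
    # not flagged by antivirus, but installs itself under a Run key
    DownloadEvent("update.other-example.test", "file-b", av_detected=False,
                  registry_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"]),
    # legitimate component fetched by the malware; only writes its own settings
    DownloadEvent("cdn.legit-example.test", "file-c", av_detected=False,
                  registry_writes=[r"HKCU\Software\LegitApp\Settings"]),
    # benign-looking file from a host that also served file-a
    DownloadEvent("dl.malicious-example.test", "file-d", av_detected=False),
]


if __name__ == "__main__":
    print("naive:", sorted(naive_blacklist(SAMPLE_EVENTS)))
    print("file-verdict:", sorted(file_verdict_blacklist(SAMPLE_EVENTS)))
    print("erroneously cut off by naive list:",
          sorted(naive_blacklist(SAMPLE_EVENTS) - file_verdict_blacklist(SAMPLE_EVENTS)))
```

The naive list contains all three hosts, so the legitimate CDN would be cut off; the file-verdict list keeps the two hosts that served a file judged to be malware and leaves the CDN out. A host stays on the list as soon as any one file it served is judged malicious, so the benign-looking second download from the malicious host does not clear it. The converse limitation also holds: a download site whose file is missed by both the antivirus and the chosen behavior rule is not blacklisted.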